如何处理 Wireshark Lua 解析器中跨越字节边界的字段?

How to cope with straddled fields in Wireshark lua dissector?

我正在为一个协议编写 Wireshark Lua 解析器,该协议中有字段跨越了八位字节的边界:

Octet 0:
    bits 0..3: a
    bits 4..6: b
    bits 7:    c
Octet 1:
    bits 0..3: x
    bits 4..7: y (ls nibble)
Octet 2:
    bits 0..3: y (ms nibble)
    bits 4..7: z

如何管理 Lua 中的这些字段?

这应该能帮您完成大部分工作。(问题出在 y 上:按照您的描述,最低有效半字节位于编号较小的八位字节中,而通常的预期是最高有效半字节在前。)

-- Protocol handle; "foo" is also the prefix of every field's filter name.
local p_foo = Proto("foo", "FOO Protocol")

-- Octet 0, numbering bit 0 as the MSB as the protocol description does:
-- a = bits 0..3 (0xf0), b = bits 4..6 (0x0e), c = bit 7 (0x01).
-- The last ProtoField argument is the bitmask Wireshark applies to the
-- octet the field is added with.
local f_foo_a, f_foo_b, f_foo_c =
    ProtoField.uint8("foo.a", "A", base.DEC, nil, 0xf0),
    ProtoField.uint8("foo.b", "B", base.DEC, nil, 0x0e),
    ProtoField.uint8("foo.c", "C", base.DEC, nil, 0x01)

-- Octets 1..2: x is the high nibble of octet 1, z the low nibble of
-- octet 2.  y straddles the boundary, so it is declared 16 bits wide with
-- a 16-bit mask and must be added over a two-octet range.
local f_foo_x, f_foo_y, f_foo_z =
    ProtoField.uint8("foo.x", "X", base.DEC, nil, 0xf0),
    ProtoField.uint16("foo.y", "Y", base.DEC, nil, 0x0ff0),
    ProtoField.uint8("foo.z", "Z", base.DEC, nil, 0x0f)

-- Register all fields with the protocol.
p_foo.fields = { f_foo_a, f_foo_b, f_foo_c, f_foo_x, f_foo_y, f_foo_z }

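-- Dissect one FOO PDU: a/b/c packed into octet 0, x/y/z into octets 1..2,
-- with y straddling the octet boundary.
-- buf:   Tvb holding the packet bytes (untrusted, straight off the wire)
-- pinfo: packet info; only the protocol column is set
-- tree:  tree item the FOO subtree is attached to
-- Returns 0 when the buffer is shorter than the three octets the layout
-- needs, so Wireshark treats the packet as not dissected; otherwise nothing.
function p_foo.dissector(buf, pinfo, tree)
    -- Guard before touching any range: a truncated or foreign packet would
    -- otherwise surface as a Lua "out of bounds" error from buf(2, 1).
    -- NOTE(review): if this ends up registered as a heuristic dissector,
    -- return false here instead of 0.
    if buf:len() < 3 then
        return 0
    end

    local foo_tree = tree:add(p_foo, buf(0,-1))
    pinfo.cols.protocol:set("FOO")

    -- Octet 0: the ProtoField masks (0xf0 / 0x0e / 0x01) select a, b and c
    -- out of the same byte.
    foo_tree:add(f_foo_a, buf(0, 1))
    foo_tree:add(f_foo_b, buf(0, 1))
    foo_tree:add(f_foo_c, buf(0, 1))

    -- Octets 1..2: y is added over both octets so that its 16-bit mask
    -- 0x0ff0 covers the low nibble of octet 1 and the high nibble of octet 2.
    foo_tree:add(f_foo_x, buf(1, 1))
    foo_tree:add(f_foo_y, buf(1, 2))
    foo_tree:add(f_foo_z, buf(2, 1))
end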

-- Registration: TODO

如果您确实需要按照您所描述的方式处理 y,就得自己交换这两个半字节。可能还有更优雅的做法,但下面是一个可行的方案:

-- Protocol handle; "foo" is also the prefix of every field's filter name.
local p_foo = Proto("foo", "FOO Protocol")

-- Octet 0, numbering bit 0 as the MSB as the protocol description does:
-- a = bits 0..3 (0xf0), b = bits 4..6 (0x0e), c = bit 7 (0x01).
-- The last ProtoField argument is the bitmask Wireshark applies to the
-- octet the field is added with.
local f_foo_a, f_foo_b, f_foo_c =
    ProtoField.uint8("foo.a", "A", base.DEC, nil, 0xf0),
    ProtoField.uint8("foo.b", "B", base.DEC, nil, 0x0e),
    ProtoField.uint8("foo.c", "C", base.DEC, nil, 0x01)

-- Octets 1..2: x is the high nibble of octet 1, z the low nibble of
-- octet 2.  y straddles the boundary, so it is declared 16 bits wide with
-- a 16-bit mask and must be added over a two-octet range.
local f_foo_x, f_foo_y, f_foo_z =
    ProtoField.uint8("foo.x", "X", base.DEC, nil, 0xf0),
    ProtoField.uint16("foo.y", "Y", base.DEC, nil, 0x0ff0),
    ProtoField.uint8("foo.z", "Z", base.DEC, nil, 0x0f)

-- Register all fields with the protocol.
p_foo.fields = { f_foo_a, f_foo_b, f_foo_c, f_foo_x, f_foo_y, f_foo_z }

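-- Lookup table: nibble value (0..15) -> its 4-character binary string.
-- Declared local: Wireshark loads every Lua plugin into one shared global
-- namespace, so a bare global here could be read or clobbered by any other
-- script; the only consumer is nibble2binary() below in this file.
local nib2bin = {
    [0] = "0000", [1] = "0001",
    [2] = "0010", [3] = "0011",
    [4] = "0100", [5] = "0101",
    [6] = "0110", [7] = "0111",
    [8] = "1000", [9] = "1001",
    [10] = "1010", [11] = "1011",
    [12] = "1100", [13] = "1101",
    [14] = "1110", [15] = "1111"
}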

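-- Render the low nibble of integer n as a 4-character binary string
-- (e.g. 0xf5 -> "0101").  Higher bits are ignored.
-- n % 16 keeps the low four bits without needing the bit library, so the
-- helper also works on Lua builds where `bit` is absent; n is expected to be
-- a non-negative integer (what Tvb:uint() returns).
-- Declared local so it does not leak into the global namespace that all
-- Wireshark Lua plugins share.
local function nibble2binary(n)
    return nib2bin[n % 16]
end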

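-- Dissect one FOO PDU: a/b/c packed into octet 0, x/y/z into octets 1..2,
-- with y straddling the octet boundary and its nibbles in the "wrong"
-- order (least-significant nibble in the lower-numbered octet).
-- buf:   Tvb holding the packet bytes (untrusted, straight off the wire)
-- pinfo: packet info; only the protocol column is set
-- tree:  tree item the FOO subtree is attached to
-- Returns 0 when the buffer is shorter than the three octets the layout
-- needs, so Wireshark treats the packet as not dissected; otherwise nothing.
function p_foo.dissector(buf, pinfo, tree)
    -- Guard before touching any range: a truncated or foreign packet would
    -- otherwise surface as a Lua "out of bounds" error from buf(2, 1).
    -- NOTE(review): if this ends up registered as a heuristic dissector,
    -- return false here instead of 0.
    if buf:len() < 3 then
        return 0
    end

    local foo_tree = tree:add(p_foo, buf(0,-1))

    -- Reassemble y in the order the protocol actually uses: the low nibble
    -- of octet 1 is the least-significant nibble, the high nibble of octet 2
    -- the most-significant one.  y_msn stays in bit positions 4..7 so a
    -- plain OR already gives the 8-bit value.
    local y_lsn = bit.band(buf(1, 1):uint(), 0x0f)
    local y_msn = bit.band(buf(2, 1):uint(), 0xf0)
    local y = bit.bor(y_lsn, y_msn)

    pinfo.cols.protocol:set("FOO")

    -- Octet 0: the ProtoField masks (0xf0 / 0x0e / 0x01) select a, b and c
    -- out of the same byte.
    foo_tree:add(f_foo_a, buf(0, 1))
    foo_tree:add(f_foo_b, buf(0, 1))
    foo_tree:add(f_foo_c, buf(0, 1))

    foo_tree:add(f_foo_x, buf(1, 1))
    -- set_text() only replaces the displayed label.  The item's own value,
    -- which a "foo.y == N" display filter compares against, is still the
    -- raw masked 16-bit read in wire order, not the swapped y shown here.
    foo_tree:add(f_foo_y, buf(1, 2)):set_text(".... " ..
        nibble2binary(bit.rshift(y_msn, 4)) .. " " ..  nibble2binary(y_lsn) ..
        " .... = Y: " .. y)
    foo_tree:add(f_foo_z, buf(2, 1))
end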

-- Registration: TODO